May 11, 2026

Case in Point: AI Lawsuit Example

AI and genetics

Case in Point: Tempus AI and Ambry Genetics lawsuit highlights growing risks associated with using sensitive data

By Caroline Popper, Corporate Associate

 

The intersection of artificial intelligence and healthcare continues to generate both innovation and legal scrutiny. A class action lawsuit against Tempus AI, Inc., following the company’s acquisition of Ambry Genetics Corporation, raises important questions for healthcare companies, technology firms, and patients.

 

Bottom Line:

The Tempus AI litigation is a clear reminder that data-driven innovation—particularly involving genetic information—must be balanced with strict compliance obligations. As regulators and plaintiffs continue to focus on privacy rights, organizations operating in this space should proactively reassess their data practices to mitigate risk.

 

About the Acquisition

Tempus AI, a Chicago-based precision medicine company, acquired Ambry Genetics in 2025. Ambry, a genetic testing company, had a large database of genetic information derived from patient testing. According to the complaint, Tempus integrated this data into its broader AI-driven platform following the acquisition.

 

The Class Action Allegations

In 2026, plaintiffs filed a class action lawsuit in the U.S. District Court for the Northern District of Illinois alleging violations of the Illinois Genetic Information Privacy Act (GIPA).

The core allegations include:

  • Unauthorized transfer of genetic data
    Plaintiffs claim that Tempus required Ambry to transfer its entire database of genetic information as part of the acquisition without obtaining new, written consent from patients and that the prior consents were not operative.
  • Improper disclosure to third parties
    The complaint further alleges that Tempus disclosed genetic data to numerous third parties—including pharmaceutical and biotechnology companies—without the required authorization.
  • Statutory violations under GIPA
    GIPA generally requires explicit written consent before genetic information can be collected, used, or disclosed, and restricts redisclosure without additional authorization.

 

Key Legal Issues

This litigation raises several legal questions:

  1. Does acquisition override consent?
    A central issue is whether a company acquiring another entity gains lawful access to previously collected genetic data without obtaining renewed patient consent.
  2. Limits of “de-identified” data
    The case also highlights skepticism around whether genetic data can truly be anonymized. Even “de-identified” datasets may still be traceable to individuals given the unique nature of DNA.
  3. Scope of liability under GIPA
    Like other biometric and genetic privacy statutes, GIPA provides for statutory damages, which can scale significantly in class action lawsuits and create substantial risks for companies handling sensitive data.

 

The Risks

For healthcare providers, biotech companies, and AI-driven data platforms, this case underscores several compliance risks:

  • M&A due diligence must include data consent review.
    Acquiring companies should not assume that existing patient consents transfer automatically.
  • Data-sharing practices require strict controls.
    Agreements with third parties—particularly in research and pharmaceutical collaborations—must align with applicable privacy statutes.
  • State privacy laws are expanding enforcement risk.
    Laws like GIPA are increasingly being used by plaintiffs to challenge data practices, similar to trends seen under biometric privacy laws.

 

Why Your Legal Team Matters

  • Carefully review consent frameworks when acquiring or integrating datasets.
  • Downstream data-sharing practices with vendors and partners should be audited.
  • Be vigilant in a new AI and data-security reality for developments in privacy litigation and enforcement.
  • Implement governance structures for AI models trained on sensitive data.

 

Potential Impact and Outlook

The plaintiffs in the Tempus case are seeking statutory damages, injunctive relief, and class action status, which could significantly increase financial liability if the class is certified.

More broadly, this case signals heightened scrutiny of how companies monetize or leverage sensitive data, especially health data.

 

Questions?

If you have questions about how regulations may affect your organization or would like assistance reviewing your privacy and data governance policies, our team is available to help. Nemphos Braue attorneys take these and other related matters into consideration to address your unique situation. Don’t wait until it’s too late.

Tags:

 Recent Highlights

View All